fujin/nixarr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

pre-exec script to handle necessary directory and network config

Browse Source
This commit is contained in:
Richard Carter
2024-04-26 19:01:28 -04:00
parent a3d0d94500
commit b4e816dbdf
1 changed files with 103 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nixarr/sabnzbd/default.nix
+103 -1
View File
@@ -8,7 +8,62 @@ with lib; let
cfg = config.nixarr.sabnzbd;
defaultPort = 8080;
nixarr = config.nixarr;
# downloadDir = "${nixarr.mediaDir}/usenet";
setDirsCmds = ''
| initool set - misc download_dir ${nixarr.mediaDir}/usenet/.incomplete \
| initool set - misc complete_dir ${nixarr.mediaDir}/usenet/manual \
| initool set - misc dirscan_dir ${nixarr.mediaDir}/usenet/.watch \
'';
mkSetHostWhitelistCmd = with lib.strings; (hosts: ''
| initool set - misc host_whitelist ${concatStringsSep "," hosts} \
'');
mkSetRangeWhitelistCmd = with lib.strings; (ranges: ''
| initool set - misc local_ranges ${concatStringsSep "," ranges} \
'');
# todo: need to figure out what to do on first sabnzbd boot when no config file exists
mkINIInitScript = (
{
sabnzbd-state-dir,
access-externally ? true,
whitelist-hosts ? [],
whitelist-ranges ? []
}:
pkgs.writeShellApplication {
name = "set-sabnzbd-ini-values";
runtimeInputs = with pkgs; [initool];
text = with lib.strings; (
''
cat ${sabnzbd-state-dir}/sabnzbd.ini \
'' +
# set download dirs
setDirsCmds +
# set host to 0.0.0.0 if remote access needed
optionalString access-externally ''
| initool set - misc host 0.0.0.0 \
'' +
# set hostname whitelist
optionalString (builtins.length whitelist-hosts > 0) (
mkSetHostWhitelistCmd whitelist-hosts
) +
# set ip range whitelist
optionalString (builtins.length whitelist-ranges > 0) (
mkSetRangeWhitelistCmd whitelist-ranges
) +
''
> ${sabnzbd-state-dir}/sabnzbd.ini
''
);
}
);
in {
options.nixarr.sabnzbd = {
enable = mkEnableOption "Enable the SABnzbd service.";
@@ -40,6 +95,40 @@ in {
description = "Open firewall for SABnzbd";
};
whitelistHostnames = mkOption {
type = types.listOf types.str;
default = [ config.networking.hostName ];
defaultText = "[ config.networking.hostName ]";
example = ''[ "mediaserv" "media.example.com" ]'';
description = ''
A list that specifies what URLs that are allowed to represent your
SABnzbd instance. If you see an error message like this when
trying to connect to SABnzbd from another device...
```
Refused connection with hostname "your.hostname.com"
```
...then you should add your hostname(s) to this list.
SABnzbd only allows connections matching these URLs in order to prevent
DNS hijacking. See <https://sabnzbd.org/wiki/extra/hostname-check.html>
for more info.
'';
};
whitelistRanges = mkOption {
type = types.listOf types.str;
default = [ ];
defaultText = "[ ]";
example = ''[ "192.168.1.0/24" "10.0.0.0/23" ]'';
description = ''
A list of IP ranges that will be allowed to connect to SABnzbd's
web GUI. This only needs to be set if SABnzbd needs to be accessed
from another machine besides its host.
'';
};
vpn.enable = mkOption {
type = types.bool;
default = false;
@@ -68,6 +157,19 @@ in {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ defaultPort ];
systemd.services.sabnzbd.serviceConfig = {
ExecStartPre = mkBefore [
(
"+" + mkINIInitScript {
sabnzbd-state-dir = cfg.stateDir;
access-externally = cfg.openFirewall;
whitelist-hosts = cfg.whitelistHostnames;
whitelist-ranges = cfg.whitelistRanges;
} + "/bin/set-sabnzbd-ini-values"
)
];
};
# Enable and specify VPN namespace to confine service in.
systemd.services.sabnzbd.vpnconfinement = mkIf cfg.vpn.enable {
enable = true;